Powering regulatory compliance
Executive brief

According to a recently released report from analysts at AMR Research, U.S. companies plan to spend $15.5 billion in 2005, and $80 billion between 2005 and 2009[1] to ensure that they comply with an extensive range of regulatory requirements, both domestically and abroad. The lion’s share of that sum will be spent on technology to support compliance issues and on people to use it. Respondents to the AMR Research survey reported that their technology dollars will go into internal and external security, document/records management, reporting/risk management, business process management, collaboration/training/e-learning, enterprise applications, compliance management software and performance management – in that order.[2] AMR Research further reports, “technology is a necessary component for addressing compliance. In fact, it grew by 50 percent between 2004 and 2005 estimates.”[3]

[Figure: Most strategic technology evaluation in 2005 to support compliance issues. Security (internal/external) 27%; Document/records mgmt. 21%; Reporting/risk mgmt. 13%; Business/process mgmt. 12%; Collaboration/training/e-learning 8%; Enterprise apps 8%; Compliance mgmt. software 6%; Performance mgmt. 6%. Based on total respondents, n=221. Source: AMR Research, 2005.]

It’s a great deal of money – but lack of attention to compliance opens companies to the risks of very large fines and missed contractual or customer commitments, not to mention public outrage that can endanger current and future markets. The whole company will be impacted by hefty fines or product failures.
Companies can strengthen their compliance initiatives by including product lifecycle management (PLM) as they develop an overall “compliance framework.” Inclusion of PLM enables companies to meet these demands in order to:

• Achieve regulatory compliance as part of a product lifecycle strategy
• Reduce the risk of noncompliance and improve efficiencies and cost of reporting
• Eliminate outdated information, thereby saving storage space and cost
• Reduce business risks through managed compliance processes
• Ensure consistent creation, management and change control of regulatory documents
• Ensure that regulated product capabilities are tracked and managed as product goes to market

Regulatory compliance has become a top-level executive initiative for many of today’s leading corporations across a wide range of industries. Most companies plan to address compliance issues across their entire company, and for international corporations, it requires a global strategy.

[Figure labels: Control environment; Executive management; Business process (finance, manufacturing, logistics, etc.); Application controls; IT general controls; document and record management, configuration management, change management, workflow, subscription and notification services, security and access control, system audit management, reporting.]

Over two-thirds of companies said that they plan to add to or improve their current compliance management systems, and companies that continue to address mandates imposed by their customers – noteworthy in the manufacturing sector – anticipate more aggressive growth intentions. “Interestingly, business executives have more aggressive designs to increase spending on compliance than their IT equivalents, 8.6 percent versus 3.8 percent positive growth,” the report says.[4]

Many compliance initiatives focus on auditing and traceability but fall short of including product lifecycle management (PLM) as an essential part of their compliance strategy. Compliance starts early in the innovation process as teams define both product and process capabilities. PLM ensures that repeatable processes with phased-gated sign-offs are in place to enable traceability that can be checked throughout the innovation-through-manufacturing process. PLM also plays a significant role in the identification of product capabilities which are predetermined by regulatory governance. Identified product capabilities can be traced and managed throughout the innovation process, thereby ensuring that when a product comes to market it meets the regulatory requirements.

Some regulations are specific to particular industries. Some are specific to individual countries. Some are common to U.S. companies – whether they operate solely domestically or internationally. Based on their industry, companies are required to prove compliance with different regulations at different stages in a product’s lifecycle. Businesses in the aerospace and defense industry are pressed by International Traffic in Arms Regulations (ITAR) weapons security requirements. Manufacturers may have to comply with extended producer responsibility (EPR) legislation and its environmental protection subsets – Restriction on the use of certain Hazardous Substances (RoHS) in the EU and China; Waste of Electric, Electronic Equipment (WEEE); and End of Life Vehicle Directive (ELV), or Process Visibility and Integrity Medical Compliance requirements.

As different as the individual regulations may be, they all have some compliance issues in common – and these demand the establishment of automated systems and processes to handle the documentation necessary for compliance. The first step consists of understanding that compliance is a manageable process. Companies clearly need to invest in a compliance framework to meet these demands.

“Managing information to support compliance is an enormous challenge for business and IT professionals. Organizations of all sizes need an action plan for achieving compliance and mitigating risk in today’s new world,” states the May 2004 AMR Research report “The Product Lifecycle Management Report, 2003-2008.”[5]

[Figure labels: Control environment; Enterprise awareness and ownership; Application controls; Process visibility and integrity; Management of information, access and retrieval; IT general controls. Regulations listed: Fiscal and financial compliance (e.g. SOX); ELV (end of life vehicle); RoHS, WEEE; 21 CFR Part 820, 11; ITAR; RMA.]

Common to all regulatory compliance is management of information access, retrieval and retention; process visibility and integrity; and enterprise awareness and ownership of both the regulations and the process of complying with them. Compliance-related information consists of a mix of engineering models and drawings, contracts, procurement documents, emails, specifications – just to name a few – kept together with retention times and disposition schedules. The vast number of documents and computer files have to be managed throughout the product lifecycle – from concept to manufacturing planning, to sourcing, to physical manufacturing, maintenance and end-of-life disposition.

It makes sense to employ product lifecycle management (PLM) software, probably already in use or under consideration, to manage the product-related information across internal disciplines and departments and to manage compliance with regulations that govern different stages of the product lifecycle. The tools required for both kinds of management processes exist in well-designed PLM systems.

Many people need access to the documents and records that provide evidence of compliance, so that they can all work together to support it. This holds true for design engineers, manufacturing engineers, sourcing and procurement personnel, as well as top executives. Only in that way can the corporation be sure of individual employee accountability for compliance throughout the product lifecycle.
Tools such as automated workflow and process management can make it much easier to provide systematized access for everyone in his or her role within the system. The same tools ensure process visibility and integrity, by providing secure access to authorized, authenticated users. And the best tools work within standard best practice rules and definition of roles, again throughout the product lifecycle.

Manufacturing companies have no real choice. They have to achieve regulatory compliance. The AMR Research report says, “companies that see the big compliance picture will put these mandates to work for them – compliance as the catalyst to improve, even rethink parts of their business.”[6]

With regulatory and customer mandates in mind, forward-thinking companies can think of compliance as a positive business driver. A possible downside, however, is that meeting regulatory demands can have a serious negative impact on cost and time-to-market. This need not happen. Software solutions now available can ease the process once companies understand that compliance is indeed a process and not just an onerous one-time project.

[Figure labels: Legal and regulatory costs; Profit margins.]

Responsibility for ensuring regulatory compliance is part of the job descriptions of chief financial and operating officers – and certainly CFOs and COOs will be held responsible by the company. The chief information officer (CIO) is normally responsible for finding and deploying technology to support compliance efforts. From there, the accountability hands off to the various departments involved in product development.

Regulatory requirements need to be treated the same as any other product requirement – as essential criteria that must be met for products and companies to succeed. Failure to meet these criteria can mean the loss of contracts, the loss of customers and ultimately, the loss of jobs. Another way to look at compliance is as a framework for accountability throughout the whole product lifecycle – from early product development, to maintenance, to obsolescence and even to end-of-life processes that have to be documented.

A spokesman for a global electronics manufacturing company recently pointed out that the management of information for regulatory compliance is similar to that for managing quality in a program based on Six Sigma. The latter requires adherence to a strict set of processes and metrics, which the company’s PLM system has helped the organization standardize. The same applies to compliance with a variety of financial and environmental regulations. “We can store all standard operating procedures in the system, so that different authorized people can pull down anything necessary to ensure regulatory compliance,” he said.

Similarly, an IT executive for a manufacturer of medical products recently reported that his industry is faced with frequently changing regulations from the FDA – and that the company depends on its PLM system to pull information together to help meet the need for regulatory compliance documentation, and to keep pace with changing requirements.

Complying with RoHS and WEEE regulations may require review and redesign of existing products to ensure compliance – a good example of the importance of retaining documents and records, and managing access to them, as well as continuing to track changes through the new/revised product lifecycle. ELV speaks for itself in general terms of lifecycle – but may also apply to the end of component life during maintenance, and requires proper disposition of hazardous materials in all cases, along with the documentation to prove compliance.

Obviously, the internal control systems are very important.
A well-organized and proactive system needs to be based on a closed-loop architecture that supports risk transparency, IT and business governance, corporate reporting, statutory audit guidelines and the custodianship of business rules and processes. All of these regulations require similar adherence to process and record integrity, and retention – though each set of regulations requires retention for different lengths of time.

The more companies integrate lifecycle steps into the corporate compliance process, the easier it becomes to manage compliance and the less costly it is. And, clearly, the management system chosen needs to have the flexibility to handle the specifics for each industry, each set of products and each set of regulations. It also needs to have the tools necessary to adapt to changing business environments.

The bottom line on regulatory compliance is ownership of the process and the tools. Each company has to comply: the risks of non-compliance are simply too high if it doesn’t. Every corporation needs to meet hard deadlines for compliance in an environment of heightened scrutiny. With those facts in mind, it pays for organizations to perform the process correctly, using a stable, scalable PLM architecture that leverages and protects previous IT and regulatory compliance investments.

Footnotes:
[1] AMR Research, “Spending in an Age of Compliance,” by John Hagerty and Fenella Scott, 2005, Executive Summary, pages 1-2.
[2] AMR Research, “Spending in an Age of Compliance,” Figure 12, page 26.
[3] AMR Research, “Spending in an Age of Compliance,” Figure 11 “Takeaway,” page 25.
[4] AMR Research, “Spending in an Age of Compliance,” Table 9, “Takeaway,” page 22.
[5] AMR Research, “The Product Lifecycle Management Report, 2003-2008,” May 2004.
[6] AMR Research, “Spending in an Age of Compliance,” Executive Summary, pages 1-2.
About Siemens PLM Software

Siemens PLM Software, a business unit of the Siemens Industry Automation Division, is a leading global provider of product lifecycle management (PLM) software and services with nearly six million licensed seats and 56,000 customers worldwide. Headquartered in Plano, Texas, Siemens PLM Software works collaboratively with companies to deliver open solutions that help them turn more ideas into successful products. For more information on Siemens PLM Software products and services, visit www.siemens.com/plm.

© 2009 Siemens Product Lifecycle Management Software Inc. All rights reserved. Siemens and the Siemens logo are registered trademarks of Siemens AG. Teamcenter, NX, Solid Edge, Tecnomatix, Parasolid, Femap, I-deas and Velocity Series are trademarks or registered trademarks of Siemens Product Lifecycle Management Software Inc. or its subsidiaries in the United States and in other countries. All other logos, trademarks, registered trademarks or service marks used herein are the property of their respective holders. 8/09